From aa0f4d0f6dabdad205aafb68034c1f690aed7778 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 24 Jul 2024 13:57:29 +0100
Subject: [PATCH] section4 v2 initial

Signed-off-by: Mark Bolwell
---
 tasks/section_4/cis_4.1.1.x.yml | 101 ----------
 tasks/section_4/cis_4.1.2.x.yml |  66 --------
 tasks/section_4/cis_4.1.3.x.yml | 292 --------------------------------
 tasks/section_4/cis_4.1.4.x.yml | 183 --------------------
 tasks/section_4/cis_4.1.x.yml   |  59 +++++++
 tasks/section_4/cis_4.2.1.x.yml | 215 -----------------------
 tasks/section_4/cis_4.2.2.x.yml | 200 ----------------------
 tasks/section_4/cis_4.2.3.yml   |  31 ----
 tasks/section_4/cis_4.2.x.yml   |  45 +++++
 tasks/section_4/cis_4.3.x.yml   | 189 +++++++++++++++++++++
 tasks/section_4/cis_4.3.yml     |  56 ------
 tasks/section_4/main.yml        |  38 +----
 12 files changed, 301 insertions(+), 1174 deletions(-)
 delete mode 100644 tasks/section_4/cis_4.1.1.x.yml
 delete mode 100644 tasks/section_4/cis_4.1.2.x.yml
 delete mode 100644 tasks/section_4/cis_4.1.3.x.yml
 delete mode 100644 tasks/section_4/cis_4.1.4.x.yml
 create mode 100644 tasks/section_4/cis_4.1.x.yml
 delete mode 100644 tasks/section_4/cis_4.2.1.x.yml
 delete mode 100644 tasks/section_4/cis_4.2.2.x.yml
 delete mode 100644 tasks/section_4/cis_4.2.3.yml
 create mode 100644 tasks/section_4/cis_4.2.x.yml
 create mode 100644 tasks/section_4/cis_4.3.x.yml
 delete mode 100644 tasks/section_4/cis_4.3.yml

diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
deleted file mode 100644
index 3d0082a..0000000
--- a/tasks/section_4/cis_4.1.1.x.yml
+++ /dev/null
@@ -1,101 +0,0 @@ ---- - -- name: "4.1.1.1 | PATCH | Ensure auditd is installed" - block: - - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" - ansible.builtin.package: - name: audit - state: present - when: '"auditd" not in ansible_facts.packages' - - - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" - ansible.builtin.package: - name: audit-libs - state: present - when: '"auditd-lib" not in ansible_facts.packages' - when: - - rhel9cis_rule_4_1_1_1 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.1.1 - -- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - block: - - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value" - ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_4_1_1_2_grubby_curr_value_audit_linux - - - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" - ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" - when: - - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout == '' or - '0' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout or - 'off' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout|lower - when: - - rhel9cis_rule_4_1_1_2 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - grub - - rule_4.1.1.2 - -- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value" - ansible.builtin.shell: - cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"' - changed_when: false - failed_when: false - check_mode: 
false - register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux - - - name: "4.1.1.3 | AUDIT | Check to see if limits are set" - ansible.builtin.set_fact: - rhel9cis_4_1_1_3_reset_backlog_limits: true - when: - - rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux is not defined or - rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines == [] - - - name: "4.1.1.3 | AUDIT | Check to see if any limits are too low" - ansible.builtin.set_fact: - rhel9cis_4_1_1_3_reset_backlog_limits: true - when: - - (item | int < rhel9cis_audit_back_log_limit) - loop: "{{ rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines }}" - - - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" - ansible.builtin.shell: - cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' - when: - - rhel9cis_4_1_1_3_reset_backlog_limits is defined - when: - - rhel9cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - grub - - rule_4.1.1.3 - -- name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" - ansible.builtin.systemd: - name: auditd - state: started - enabled: true - when: - - rhel9cis_rule_4_1_1_4 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.1.4 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml deleted file mode 100644 index 8370114..0000000 --- a/tasks/section_4/cis_4.1.2.x.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- - -- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: "^max_log_file( |=)" - line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}" - notify: Restart auditd - when: - - rhel9cis_rule_4_1_2_1 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.2.1 - -- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: "^max_log_file_action" - line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" - notify: Restart auditd - when: - - rhel9cis_rule_4_1_2_2 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.2.2 - -- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: Restart auditd - loop: - - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } - - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } - - { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd.space_left_action }}' } - when: - - rhel9cis_rule_4_1_2_3 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.2.3 - -- name: PATCH | Configure other keys for auditd.conf - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: "^{{ item }}( |=)" - line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" - loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" - notify: Restart auditd - when: - - rhel9cis_auditd_extra_conf.keys() | length > 0 - - rhel9cis_auditd_extra_conf_usage - tags: - - level2-server - - level2-workstation - - patch - - auditd 
diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml deleted file mode 100644 index 2c8746a..0000000 --- a/tasks/section_4/cis_4.1.3.x.yml +++ /dev/null 
@@ -1,292 +0,0 @@ ---- - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_1 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.1 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_2 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.2 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_3 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.3 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_4 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.4 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_5 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.5 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - block: - - name: "4.1.3.6 | PATCH | Ensure use of privileged commands 
is collected" - ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done - changed_when: false - failed_when: false - check_mode: false - register: priv_procs - - - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - ansible.builtin.set_fact: - update_audit_template: true - notify: update auditd - when: - - rhel9cis_rule_4_1_3_6 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.6 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_7 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.7 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_8 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.8 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_9 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.9 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_10 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.10 - -# All changes selected are managed by the POST audit and handlers 
to update -- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_11 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.11 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_12 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.12 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_13 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.3.13 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_14 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.14 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_15 - tags: - - level2-server - - level2- workstation - - patch - - auditd - - rule_4.1.3.15 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_16 - tags: - - 
level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.16 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_17 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.17 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_18 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.18 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_19 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.19 - -# All changes selected are managed by the POST audit and handlers to update -- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - ansible.builtin.set_fact: - update_audit_template: true - when: - - rhel9cis_rule_4_1_3_20 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.3.20 - -- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - ansible.builtin.debug: - msg: - - "Please run augenrules --load if you suspect there is a configuration that is not active" - when: - - rhel9cis_rule_4_1_3_21 - tags: - - level2-server - - level2-workstation - - manual - - patch - - auditd - - rule_4.1.3.21 - -- name: Auditd | 4.1.3 | Auditd controls updated - ansible.builtin.debug: - msg: "Auditd Controls handled in POST using template - updating 
/etc/auditd/rules.d/99_auditd.rules" - changed_when: false - when: - - update_audit_template diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml deleted file mode 100644 index c42f876..0000000 --- a/tasks/section_4/cis_4.1.4.x.yml +++ /dev/null 
@@ -1,183 +0,0 @@ ---- - -- name: | - "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" - "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" - "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" - - block: - - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" - ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - changed_when: false - register: audit_discovered_logfile - - - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" - ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout }}" - changed_when: false - register: auditd_logfile - - - name: | - "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" - "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" - "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout }}" - mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}" - owner: root - group: root - when: - - rhel9cis_rule_4_1_4_1 or - rhel9cis_rule_4_1_4_2 or - rhel9cis_rule_4_1_4_3 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.1 - - rule_4.1.4.2 - - rule_4.1.4.3 - -- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive" - block: - - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" - ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - register: auditlog_dir - - - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - state: directory - mode: '0750' - when: not auditlog_dir.stat.mode is match('07(0|5)0') - when: - - 
rhel9cis_rule_4_1_4_4 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.4 - -- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" - ansible.builtin.file: - path: "{{ item.path }}" - mode: "{{ '0600' if item.mode == '0600' else '0640' }}" - loop: "{{ auditd_conf_files.files }}" - loop_control: - label: "{{ item.path }}" - when: - - rhel9cis_rule_4_1_4_5 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.5 - -- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - loop: "{{ auditd_conf_files.files | default([]) }}" - loop_control: - label: "{{ item.path }}" - when: - - rhel9cis_rule_4_1_4_6 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.6 - -- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" - ansible.builtin.file: - path: "{{ item.path }}" - group: root - loop: "{{ auditd_conf_files.files | default([]) }}" - loop_control: - label: "{{ item.path }}" - when: - - rhel9cis_rule_4_1_4_7 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.7 - -- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" - block: - - name: "4.1.4.8 | AUDIT | Get audit binary file stat | get current mode" - ansible.builtin.stat: - path: "{{ item }}" - register: "audit_bins" - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - - - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" - ansible.builtin.file: - path: "{{ item.item }}" - mode: '0750' - - loop: "{{ audit_bins.results }}" - loop_control: - label: "{{ item.item }}" - when: not item.stat.mode is match('07(0|5)0') - when: - - rhel9cis_rule_4_1_4_8 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - 
rule_4.1.4.8 - -- name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root" - ansible.builtin.file: - path: "{{ item }}" - owner: root - group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - when: - - rhel9cis_rule_4_1_4_9 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.9 - -- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root" - ansible.builtin.file: - path: "{{ item }}" - group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - when: - - rhel9cis_rule_4_1_4_10 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.10 diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml new file mode 100644 index 0000000..f0a6636 --- /dev/null +++ b/tasks/section_4/cis_4.1.x.yml 
@@ -0,0 +1,59 @@
+---
+
+- name: "4.1.1 | PATCH | Ensure nftables is installed"
+  when:
+    - rhel9cis_rule_4_1_1
+    - rhel9cis_firewall == 'nftables'
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - nftables
+    - rule_4.1.1
+    - NIST800-53R5_CA-9
+  ansible.builtin.package:
+    name:
+      - nftables
+    state: present
+
+- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
+  when:
+    - rhel9cis_rule_4_1_2
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - firewalld
+    - nftables
+    - rule_4.1.2
+  block:
+    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables"
+      when:
+        - item in ansible_facts.packages
+        - rhel9cis_firewall == 'nftables'
+      ansible.builtin.systemd:
+        name: "{{ item }}"
+        masked: true
+      loop:
+        - firewalld
+
+    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld"
+      when:
+        - item in ansible_facts.packages
+        - rhel9cis_firewall == 'firewalld'
+      ansible.builtin.systemd:
+        name: "{{ item }}"
+        masked: true
+      loop:
+        - nftables
+
+    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed"
+      ansible.builtin.package:
+        name: "{{ rhel9cis_firewall }}"
+        state: installed
+
+    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
+      ansible.builtin.systemd:
+        name: "{{ rhel9cis_firewall }}"
+        enabled: true
+        state: started
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
deleted file mode 100644
index 740f820..0000000
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ /dev/null
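Review bot: The two mask tasks in the 4.1.2 block set `masked: true` with no `state`, so a firewalld (or nftables) unit that is already running keeps running until the next reboot while the last task of the block starts and enables the other utility — leaving two rule managers active at once, which is exactly what this control is meant to rule out. `ansible.builtin.systemd` only stops a unit when asked to, so add `state: stopped` alongside `masked: true` in both tasks, matching the benchmark's `systemctl --now mask` remediation. The `package installed` and `started and enabled` tasks also act on whatever `rhel9cis_firewall` holds with no guard; if the role validates that variable to `nftables`/`firewalld` elsewhere this is fine, otherwise a value such as `none` would attempt to install and start a package/unit of that name rather than skip cleanly.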
@@ -1,215 +0,0 @@ ---- - -- name: "4.2.1.1 | PATCH | Ensure rsyslog installed" - ansible.builtin.package: - name: rsyslog - state: present - when: - - "'rsyslog' not in ansible_facts.packages" - - rhel9cis_rule_4_2_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.1 - -- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" - ansible.builtin.systemd: - name: rsyslog - enabled: true - when: - - rhel9cis_rule_4_2_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.2 - -- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" - line: ForwardToSyslog=yes - notify: Restart rsyslog - when: - - rhel9cis_rule_4_2_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.3 - -- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: '^\$FileCreateMode' - line: '$FileCreateMode 0640' - notify: Restart rsyslog - when: - - rhel9cis_rule_4_2_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.4 - -- name: "4.2.1.5 | PATCH | Ensure logging is configured" - block: - - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$" - changed_when: false - failed_when: false - check_mode: false - register: rhel_09_4_2_1_5_audit - - - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - ansible.builtin.debug: - msg: - - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_09_4_2_1_5_audit.stdout_lines }}" - - - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - marker: "# 
{mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown" - block: | - # mail logging additions to meet CIS standards - mail.* -/var/log/mail - mail.info -/var/log/mail.info - mail.warning -/var/log/mail.warning - mail.err /var/log/mail.err - insertafter: '# Log all the mail messages in one place.' - notify: Restart rsyslog - when: rhel9cis_rsyslog_ansiblemanaged - - - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - marker: "# {mark} NEWS LOG SETTINGS - CIS benchmark - Ansible-lockdown" - block: | - # news logging additions to meet CIS standards - news.crit -/var/log/news/news.crit - news.notice -/var/log/news/news.crit - insertafter: '# Save news errors of level crit and higher in a special file.' - notify: Restart rsyslog - when: rhel9cis_rsyslog_ansiblemanaged - - - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown" - block: | - # misc. 
logging additions to meet CIS standards - *.=warning;*.=err -/var/log/warn - *.crit /var/log/warn - *.*;mail.none;news.none /var/log/messages - insertafter: '#### RULES ####' - notify: Restart rsyslog - when: rhel9cis_rsyslog_ansiblemanaged - - - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown" - block: | - # local log settings to meet CIS standards - local0,local1.* -/var/log/localmessages - local2,local3.* -/var/log/localmessages - local4,local5.* -/var/log/localmessages - local6,local7.* -/var/log/localmessages - *.emrg :omusrmsg:* - insertafter: '#### RULES ####' - notify: Restart rsyslog - - - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown" - block: | - # Private settings to meet CIS standards - auth,authpriv.* /var/log/secure - insertafter: '#### RULES ####' - notify: Restart rsyslog - - - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown" - block: | - # Cron settings to meet CIS standards - cron.* /var/log/cron - insertafter: '#### RULES ####' - notify: Restart rsyslog - when: - - rhel9cis_rule_4_2_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.5 - -- name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - state: present - block: | - # target can be IP or FQDN - *.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" 
action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") - insertafter: EOF - register: result - failed_when: - - result is failed - - result.rc != 257 - notify: Restart rsyslog - when: - - rhel9cis_rule_4_2_1_6 - - rhel9cis_remote_log_server - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.6 - -- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" - block: - - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" - ansible.builtin.replace: - path: /etc/rsyslog.conf - regexp: '{{ item }}' - replace: '#\1' - notify: Restart rsyslog - loop: - - '^(\$ModLoad imtcp)' - - '^(\$InputTCPServerRun)' - - '^(module\(load="imtcp"\))' - - '^(input\(type="imtcp")' - when: not rhel9cis_system_is_log_server - - - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" - ansible.builtin.replace: - path: /etc/rsyslog.conf - regexp: '^#(.*{{ item }}.*)' - replace: '\1' - notify: Restart rsyslog - loop: - - 'ModLoad imtcp' - - 'InputTCPServerRun' - when: rhel9cis_system_is_log_server - when: - - rhel9cis_rule_4_2_1_7 - tags: - - level1-server - - level1-workstation - - patch - - rsyslog - - rule_4.2.1.7 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml deleted file mode 100644 index cf4b011..0000000 --- a/tasks/section_4/cis_4.2.2.x.yml +++ /dev/null 
@@ -1,200 +0,0 @@ ---- - -- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" - ansible.builtin.package: - name: systemd-journal-remote - state: present - when: - - rhel9cis_rule_4_2_2_1_1 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.2.1.1 - -- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" - ansible.builtin.lineinfile: - path: /etc/systemd/journal-upload.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: Restart journald - loop: - - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} - - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} - - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'} - when: - - rhel9cis_rule_4_2_2_1_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.2.1.2 - -- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" - ansible.builtin.systemd: - name: systemd-journal-upload - state: started - enabled: true - when: - - rhel9cis_system_is_log_server - - rhel9cis_rule_4_2_2_1_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.2.1.3 - -- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" - ansible.builtin.systemd: - name: systemd-journal-remote.socket - state: stopped - enabled: false - masked: true - when: - - not rhel9cis_system_is_log_server - - rhel9cis_rule_4_2_2_1_4 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.2.1.4 - -- name: "4.2.2.2 | PATCH | Ensure journald service is enabled" - block: - - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" - ansible.builtin.systemd: - 
name: systemd-journald - state: started - enabled: true - - - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" - ansible.builtin.shell: systemctl is-enabled systemd-journald.service - changed_when: false - failed_when: false - register: rhel9cis_4_2_2_2_status - - - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" - ansible.builtin.debug: - msg: - - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" - when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - - - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - vars: - warn_control_id: '4.2.2.2' - when: - - rhel9cis_rule_4_2_2_2 - tags: - - level1-server - - level1-workstation - - audit - - journald - - rule_4.2.2.2 - -- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: "^#Compress=|^Compress=" - line: Compress=yes - notify: Restart journald - when: - - rhel9cis_rule_4_2_2_3 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.2.3 - -- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: "^#Storage=|^Storage=" - line: Storage=persistent - notify: Restart journald - when: - - rhel9cis_rule_4_2_2_4 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.2.4 - -# This is counter to control 4.2.1.3?? 
-- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: "^ForwardToSyslog=" - line: "#ForwardToSyslog=yes" - notify: Restart journald - when: - - rhel9cis_rule_4_2_2_5 - tags: - - level1-server - - level2-workstation - - manual - - patch - - journald - - rule_4.2.2.5 - -- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: Restart journald - loop: - - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } - - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'} - - { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}'} - - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}'} - when: - - rhel9cis_rule_4_2_2_6 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.2.6 - -- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" - block: - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" - ansible.builtin.stat: - path: /etc/tmpfiles.d/systemd.conf - register: rhel9cis_4_2_2_7_override - - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" - ansible.builtin.set_fact: - systemd_conf_file: /etc/tmpfiles.d/systemd.conf - when: rhel9cis_4_2_2_7_override.stat.exists - - - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" - ansible.builtin.lineinfile: - path: "{{ systemd_conf_file | 
default('/usr/lib/tmpfiles.d/systemd.conf') }}" - regexp: '^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root' - line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' - - when: - - rhel9cis_rule_4_2_2_7 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.2.7 diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml deleted file mode 100644 index 823975a..0000000 --- a/tasks/section_4/cis_4.2.3.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- - -- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - block: - - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" - ansible.builtin.find: - paths: "/var/log" - file_type: file - recurse: true - hidden: true - register: logfiles - - - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" - ansible.builtin.file: - path: "{{ item.path }}" - mode: "{{ '0600' if item.mode == '0600' else '0640' }}" - loop: "{{ logfiles.files }}" - loop_control: - label: "{{ item.path }}" - when: - - item.path != "/var/log/btmp" - - item.path != "/var/log/utmp" - - item.path != "/var/log/wtmp" - when: - - rhel9cis_rule_4_2_3 - tags: - - level1-server - - level1-workstation - - patch - - logfiles - - rule_4.2.3 diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml new file mode 100644 index 0000000..01fd1eb --- /dev/null +++ b/tasks/section_4/cis_4.2.x.yml 
@@ -0,0 +1,45 @@ +--- + +- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports" + when: + - rhel9cis_rule_4_2_1 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_4.2.1 + - NIST800-55_CA-9 + block: + - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" + ansible.builtin.shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_4_2_5_servicesport + + - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + ansible.builtin.debug: + msg: + - "The items below are the services and ports that are accepted, please correct as needed" + - "{{ rhel9cis_4_2_5_servicesport.stdout_lines }}" + +- name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld" + when: + - rhel9cis_rule_4_2_2 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_4.2.2 + - NIST800-55_CA-9 + ansible.posix.firewalld: + rich_rule: "{{ item }}" + zone: "{{ rhel9cis_default_zone }}" + permanent: true + immediate: true + state: enabled + loop: + - rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop + - rule family="ipv6" source address="::1" destination not address="::1" drop diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml new file mode 100644 index 0000000..09e8979 --- /dev/null +++ b/tasks/section_4/cis_4.3.x.yml 
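Review bot: The firewalld loopback rule in 4.2.2 only drops spoofed traffic claiming to come from `127.0.0.1`, while the nftables counterpart added in the same commit (4.3.4) drops the whole `127.0.0.0/8` range, so a packet arriving on a non-lo interface with source 127.0.0.2 is dropped under one backend and accepted under the other. Unless the benchmark text for 4.2.2 specifically wants the single address, aligning the rich rule to `rule family="ipv4" source address="127.0.0.0/8" destination not address="127.0.0.1" drop` closes that gap. The task is also tagged `nftables` although it drives `ansible.posix.firewalld`, so `--skip-tags nftables` silently drops it and `--tags nftables` runs it on a firewalld host; the tag should be `firewalld`. The variable registered in 4.2.1 is named `rhel9cis_4_2_5_servicesport`, which looks like a leftover from another control number and should be `rhel9cis_4_2_1_servicesport`. Finally, `immediate: true` makes the firewalld module error when the daemon is not running (as I read the module), so this task presumably relies on an earlier 4.1.x control having started firewalld — worth confirming.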
@@ -0,0 +1,189 @@ +--- + +- name: "4.3.1 | PATCH | Ensure nftables base chains exist" + when: + - rhel9cis_rule_4_3_1 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_4.3.1 + - NIST800-55_CA-9 + block: + - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" + ansible.builtin.shell: nft list ruleset | grep 'hook input' + changed_when: false + failed_when: false + register: rhel9cis_4_3_1_input_chains + + - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" + ansible.builtin.shell: nft list ruleset | grep 'hook forward' + changed_when: false + failed_when: false + register: rhel9cis_4_3_1_forward_chains + + - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" + ansible.builtin.shell: nft list ruleset | grep 'hook output' + changed_when: false + failed_when: false + register: rhel9cis_4_3_1_output_chains + + - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Display chains for review" + when: not rhel9cis_nft_tables_autochaincreate + ansible.builtin.debug: + msg: + - "Below are the current INPUT chains" + - "{{ rhel9cis_4_3_1_input_chains.stdout_lines }}" + - "Below are the current FORWARD chains" + - "{{ rhel9cis_4_3_1_forward_chains.stdout_lines }}" + - "Below are teh current OUTPUT chains" + - "{{ rhel9cis_4_3_1_output_chains.stdout_lines }}" + + - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" + when: rhel9cis_nft_tables_autochaincreate + ansible.builtin.shell: "{{ item }}" + failed_when: false + loop: + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } + +- name: "4.3.2 | PATCH | Ensure 
nftables established connections are configured" + when: + - rhel9cis_rule_4_3_2 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_4.3.2 + - NIST800-55_CA-9 + block: + - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_4_3_2_inconnectionrule + + - name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" + ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_4_3_2_outconnectionrule + + - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" + when: '"ip protocol tcp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + + - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" + when: '"ip protocol udp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + + - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" + when: '"ip protocol icmp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + + - name: "4.3.2 | PATCH | Ensure nftables established connections 
are configured | Add output tcp new, related, established accept policy" + when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + + - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" + when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + + - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" + when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + +- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" + when: + - rhel9cis_rule_4_3_3 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_4.3.3 + - NIST800-55_CA-9 + block: + - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + failed_when: false + changed_when: false + register: rhel9cis_4_3_3_inputpolicy + + - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + failed_when: false + changed_when: false + register: rhel9cis_4_3_3_forwardpolicy + + - name: "4.3.3 | AUDIT | Ensure 
nftables default deny firewall policy | Check for hook output deny policy" + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + failed_when: false + changed_when: false + register: rhel9cis_4_3_3_outputpolicy + + - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + failed_when: false + changed_when: false + register: rhel9cis_4_3_3_sshallowcheck + + - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" + when: '"tcp dport ssh accept" not in rhel9cis_4_3_3_sshallowcheck.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + + - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" + when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_4_3_3_inputpolicy.stdout' + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + + - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" + when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_4_3_3_forwardpolicy.stdout' + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + + - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" + when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_4_3_3_outputpolicy.stdout' + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + +- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" + when: + - rhel9cis_rule_4_3_4 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_4.3.4 + - NIST800-55_CA-9 + block: + - 
name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence | nftables" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + changed_when: false + failed_when: false + register: rhel9cis_4_3_4_iiflo + + - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + changed_when: false + failed_when: false + register: rhel9cis_4_3_4_ipsaddr + + - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables" + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + changed_when: false + failed_when: false + register: rhel9cis_4_3_4_ip6saddr + + - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" + when: '"iif \"lo\" accept" not in rhel9cis_4_3_4_iiflo.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + + - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ipsaddr.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + + - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ip6saddr.stdout' + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml deleted file mode 100644 index 7da565e..0000000 --- a/tasks/section_4/cis_4.3.yml +++ /dev/null 
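Review bot: The 4.3.4 idempotency checks compare against `counter packets 0 bytes 0`, so once a single spoofed loopback packet has hit the rule the string no longer matches and every subsequent run appends a duplicate `ip saddr 127.0.0.0/8 counter drop` (and `ip6 saddr ::1 counter drop`) to the input chain. Match the rule without the counter values instead, e.g. `when: rhel9cis_4_3_4_ipsaddr.stdout is not search('ip saddr 127\.0\.0\.0/8 counter packets \d+ bytes \d+ drop')` and the equivalent `ip6 saddr ::1 counter packets \d+ bytes \d+ drop` pattern for the v6 task. Separately, 4.3.1–4.3.4 only mutate the live ruleset with `nft add`/`nft chain` and nothing in this file writes it to `/etc/sysconfig/nftables.conf`, so the default-deny policy from 4.3.3 would not survive a reboot unless a later task in the role persists it — worth confirming. Note also that 4.3.3 unconditionally adds `tcp dport ssh accept` from any source before applying `policy drop`; a role variable to scope or disable that accept would let operators who restrict SSH exposure elsewhere avoid an unintended world-reachable rule. Lastly, `failed_when: false` on the 4.3.1 `nft create chain` loop also swallows the "table does not exist" error, which then surfaces as failures in 4.3.2; `nft add chain` does not error on an existing chain, so using it (with a `changed_when` based on the preceding audit output) would let the real error be seen.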
@@ -1,56 +0,0 @@ ---- - -- name: "4.3 | PATCH | Ensure logrotate is configured" - block: - - name: "4.3 | PATCH | Ensure logrotate is configured | installed" - ansible.builtin.package: - name: rsyslog-logrotate - state: present - - - name: "4.3 | PATCH | Ensure logrotate is configured | scheduled" - ansible.builtin.systemd: - name: logrotate.timer - state: started - enabled: true - - - name: "4.3 | PATCH | Ensure logrotate is configured | set default conf" - ansible.builtin.replace: - path: "/etc/logrotate.conf" - regexp: '^(\s*)(daily|weekly|monthly|yearly)$' - replace: "\\1{{ rhel9cis_logrotate }}" - - - name: "4.3 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings" - ansible.builtin.find: - paths: /etc/logrotate.d/ - contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$' - register: log_rotates - - - name: "4.3 | AUDIT | Ensure logrotate is configured" - block: - - name: "4.3 | AUDIT | Ensure logrotate is configured | generate file list" - ansible.builtin.set_fact: - logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}" - - - name: "4.3 | AUDIT | Ensure logrotate is configured | List configured files" - ansible.builtin.debug: - msg: | - "Warning!! The following files are not covered by default logrotate settings ensure they match site policy" - "{{ logrotate_non_def_conf }}" - loop: "{{ log_rotates.files }}" - - - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '4.3' - when: log_rotates.matched > 0 - - when: - - rhel9cis_rule_4_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - logrotate - - rule_4.3 diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index d3b6b8d..5acc222 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
@@ -1,37 +1,15 @@ --- -- name: "SECTION | 4.1 | Configure System Accounting (auditd)" +- name: "SECTION | 4.1.x | Configure a firewall" ansible.builtin.import_tasks: - file: cis_4.1.1.x.yml - when: - - not system_is_container + file: cis_4.1.x.yml -- name: "SECTION | 4.1.2 | Configure Data Retention" +- name: "SECTION | 4.2.x | Configure FirewallD" + when: rhel9cis_firewall == "firewalld" ansible.builtin.import_tasks: - file: cis_4.1.2.x.yml + file: cis_4.2.x.yml -- name: "SECTION | 4.1.3 | Configure Auditd rules" +- name: "SECTION | 4.3.x | Configure nftables" + when: rhel9cis_firewall == "nftables" ansible.builtin.import_tasks: - file: cis_4.1.3.x.yml - -- name: "SECTION | 4.1.4 | Configure Audit files" - ansible.builtin.import_tasks: - file: cis_4.1.4.x.yml - -- name: "SECTION | 4.2.1 | Configure rsyslog" - ansible.builtin.import_tasks: - file: cis_4.2.1.x.yml - when: rhel9cis_syslog == 'rsyslog' - -- name: "SECTION | 4.2.2 | Configure journald" - ansible.builtin.import_tasks: - file: cis_4.2.2.x.yml - when: rhel9cis_syslog == 'journald' - -- name: "SECTION | 4.2.3 | Configure logile perms" - ansible.builtin.import_tasks: - file: cis_4.2.3.yml - -- name: "SECTION | 4.3 | Configure logrotate" - ansible.builtin.import_tasks: - file: cis_4.3.yml + file: cis_4.3.x.yml
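Review bot: The new 4.2.x and 4.3.x imports are gated on `rhel9cis_firewall == "firewalld"` and `== "nftables"` respectively, so any other value (a typo, or a deliberate "none") silently leaves the host with no firewall configuration and no warning from this file. Unless `cis_4.1.x.yml` already validates the variable, an `ansible.builtin.assert` with `that: rhel9cis_firewall in ['firewalld', 'nftables']` before the two imports (or a warning task for other values) would make the skip visible. The old 4.1 import also carried `when: not system_is_container`, which this rewrite drops entirely; firewall manipulation inside an unprivileged container normally cannot succeed, so consider whether the new section 4 imports should keep that guard.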