
Merge pull request #8 from ansible-lockdown/v2_lint_updates

V2 lint updates
This commit is contained in:
uk-bolly 2024-11-05 08:02:26 +00:00 committed by GitHub
commit af003176e7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 93 additions and 95 deletions


@ -98,11 +98,11 @@
- name: Auditd immutable check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: auditd_immutable_check
register: discovered_auditd_immutable_check
- name: Audit immutable fact
when:
- auditd_immutable_check.stdout == '1'
- discovered_auditd_immutable_check.stdout == '1'
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Change_requires_reboot


@ -3,7 +3,7 @@
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/99_auditd.rules
register: rhel9cis_auditd_file
register: discovered_auditd_rules_file
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
ansible.builtin.template:
@ -12,8 +12,8 @@
owner: root
group: root
mode: '0640'
diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file
register: rhel9cis_auditd_template_updated
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
register: discovered_auditd_rules_template_updated
notify:
- Auditd immutable check
- Audit immutable fact
@ -21,8 +21,8 @@
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
when:
- rhel9cis_auditd_template_updated.changed
- rhel9cis_auditd_file.stat.exists
- discovered_auditd_rules_template_updated.changed
- discovered_auditd_rules_file.stat.exists
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
@ -31,7 +31,7 @@
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/98_auditd_exceptions.rules
register: rhel9cis_auditd_exception_file
register: discovered_auditd_exception_file
- name: POST | Set up auditd user logging exceptions | setup file
when:
@ -43,5 +43,5 @@
owner: root
group: root
mode: '0640'
diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"
diff: "{{ discovered_auditd_exception_file.stat.exists }}"
notify: Restart auditd


@ -86,29 +86,29 @@
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_ansible_user_password_set
register: prelim_ansible_user_password_set
- name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"
when: rhel9cis_ansible_user_password_set.stdout == "not found"
when: prelim_ansible_user_password_set.stdout == "not found"
ansible.builtin.debug:
msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
- name: "Check local account"
when:
- rhel9cis_ansible_user_password_set.stdout != "not found"
- prelim_ansible_user_password_set.stdout != "not found"
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"
ansible.builtin.assert:
that:
- rhel9cis_ansible_user_password_set.stdout | length != 0
- rhel9cis_ansible_user_password_set.stdout != "!!"
- prelim_ansible_user_password_set.stdout | length != 0
- prelim_ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"
ansible.builtin.assert:
that:
- not rhel9cis_ansible_user_password_set.stdout.startswith("!")
- not prelim_ansible_user_password_set.stdout.startswith("!")
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
@ -149,11 +149,11 @@
- name: "Ensure root password is set"
ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
changed_when: false
register: root_passwd_set
register: prelim_root_passwd_set
- name: "Ensure root password is set"
ansible.builtin.assert:
that: root_passwd_set.rc == 0
that: prelim_root_passwd_set.rc == 0
fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set"
success_msg: "You have a root password set"


@ -18,7 +18,6 @@
owner: root
group: root
mode: '0600'
register: sysctl_updated
notify: Reload sysctl
loop:
- 60-kernel_sysctl.conf


@ -60,11 +60,11 @@
- name: Pre Audit Setup | Check for goss file
ansible.builtin.stat:
path: "{{ audit_bin }}"
register: goss_available
register: discovered_goss_available
- name: Pre Audit Setup | If audit ensure goss is available
when:
- not goss_available.stat.exists
- not discovered_goss_available.stat.exists
ansible.builtin.assert:
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"


@ -161,19 +161,19 @@
- name: "PRELIM | Discover Gnome Desktop Environment"
tags:
- always
- always
ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml
path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present
- name: "PRELIM | Install dconf if gui installed"
when:
- rhel9cis_gui
- rhel9cis_gui
tags:
- always
- always
ansible.builtin.package:
name: dconf
state: present
name: dconf
state: present
- name: "PRELIM | AUDIT | Wireless adapter pre-requisites"
when:


@ -24,8 +24,8 @@
file: warning_facts.yml
- name: |
"1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition
1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
"1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition
1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
when:
- item.mount == "/home"
- rhel9cis_rule_1_1_2_3_2 or
@ -45,7 +45,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3_3 %}nosuid{% endif %}
opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_3_3) %},nosuid{% endif %}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
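Review bot: The new `opts` expression tests `'nodev' not in item.options` and `'nosuid' not in item.options` as substring matches on the comma-separated options string rather than as whole-token checks, so it is brittle against any option that merely contains those letters and silently relies on `item.options` never being empty (otherwise the value starts with a bare `,nodev`). A token-based form is more robust: `opts: "{{ (item.options.split(',') + (['nodev'] if rhel9cis_rule_1_1_2_3_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_2_3_3 else [])) | unique | join(',') }}"`. Note also that `item.options` comes from `ansible_facts.mounts`, i.e. the live mount table, so flags present only at runtime (for example `seclabel` or `relatime`) are now written into fstab where the old line wrote `defaults`; worth confirming that is acceptable on the target systems. The enclosing task starts before this hunk (at `- name: |`) and may continue past it.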


@ -18,19 +18,19 @@
ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
changed_when: false
failed_when: false
register: os_installed_pub_keys
register: discovered_os_installed_pub_keys
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false
failed_when: false
register: os_gpg_key_check
when: os_installed_pub_keys.rc == 0
register: discovered_os_gpg_key_check
when: discovered_os_installed_pub_keys.rc == 0
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
when:
- os_installed_pub_keys.rc == 1 or
os_gpg_key_check.rc == 1
- discovered_os_installed_pub_keys.rc == 1 or
discovered_os_gpg_key_check.rc == 1
ansible.builtin.fail:
msg: Installed GPG Keys do not meet expected values or expected keys are not installed
@ -48,14 +48,14 @@
ansible.builtin.find:
paths: /etc/yum.repos.d
patterns: "*.repo"
register: yum_repos
register: discovered_yum_repos
- name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
ansible.builtin.replace:
name: "{{ item.path }}"
regexp: "^gpgcheck=0"
replace: "gpgcheck=1"
loop: "{{ yum_repos.files }}"
loop: "{{ discovered_yum_repos.files }}"
loop_control:
label: "{{ item.path }}"
@ -82,14 +82,14 @@
ansible.builtin.find:
paths: /etc/yum.repos.d
patterns: "*.repo"
register: repo_files
register: discovered_repo_files
- name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: '^repo_gpgcheck( |)=( |)0'
replace: repo_gpgcheck=1
loop: "{{ repo_files.files }}"
loop: "{{ discovered_repo_files.files }}"
loop_control:
label: "{{ item.path }}"
@ -110,14 +110,14 @@
ansible.builtin.shell: dnf repolist
changed_when: false
failed_when: false
register: dnf_configured
register: discovered_dnf_configured
check_mode: false
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
ansible.builtin.debug:
msg:
- "Warning!! Below are the configured repos. Please review and make sure all align with site policy"
- "{{ dnf_configured.stdout_lines }}"
- "{{ discovered_dnf_configured.stdout_lines }}"
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Warn Count"
ansible.builtin.import_tasks:


@ -34,7 +34,6 @@
loop:
- selinux=0
- enforcing=0
register: selinux_grub_patch
ignore_errors: true # noqa ignore-errors
notify: Grub2cfg
@ -108,17 +107,17 @@
block:
- name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
register: rhelcis_1_3_1_6_unconf_services
register: discovered_unconf_services
failed_when: false
changed_when: false
- name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0
when: discovered_unconf_services.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! You have unconfined services: {{ rhelcis_1_3_1_6_unconf_services.stdout_lines }}"
msg: "Warning!! You have unconfined services: {{ discovered_unconf_services.stdout_lines }}"
- name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0
when: discovered_unconf_services.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml


@ -55,12 +55,12 @@
owner: root
group: root
mode: '0640'
register: no_sha1_template
register: discovered_no_sha1_template
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}"
changed_when: no_sha1_template is defined
changed_when: discovered_no_sha1_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -86,12 +86,12 @@
owner: root
group: root
mode: '0640'
register: no_weakmac_template
register: discovered_no_weakmac_template
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}"
changed_when: no_weakmac_template is defined
changed_when: discovered_no_weakmac_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -116,12 +116,12 @@
owner: root
group: root
mode: '0640'
register: no_sshcbc_template
register: discovered_no_sshcbc_template
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}"
changed_when: no_sshcbc_template is defined
changed_when: discovered_no_sshcbc_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -146,12 +146,12 @@
owner: root
group: root
mode: '0640'
register: no_sshweakciphers_template
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
changed_when: no_sshweakciphers_template is defined
changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
@ -176,12 +176,12 @@
owner: root
group: root
mode: '0640'
register: no_sshetm_template
register: discovered_no_sshetm_template
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}"
changed_when: no_sshetm_template is defined
changed_when: discovered_no_sshetm_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
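Review bot: Driving `changed_when` of a `set_fact` from another task's result (`changed_when: discovered_no_sha1_template is changed`, repeated for 1.6.4 through 1.6.7) forces a `# noqa: no-handler` on every occurrence and makes a task that always runs report a change it did not itself make. The preceding task is already registered (`register: discovered_no_sha1_template`), so the same behaviour is expressed without the suppression by moving `notify: [Update Crypto Policy, Set Crypto Policy]` onto that task and giving the `set_fact` `changed_when: false`. The fact still accumulates `:NO-SHA1` (and the other module names) on every run, which appears to be what the later policy string depends on. The registered tasks begin before each hunk, so their module type is not visible here.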


@ -89,16 +89,16 @@
become: true
changed_when: false
failed_when: false
register: rhel9cis_5_2_4_authenticate
register: discovered_priv_reauth
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
when: rhel9cis_5_2_4_authenticate.stdout | length > 0
when: discovered_priv_reauth.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: '^([^#].*)!authenticate(.*)'
replace: '\1authenticate\2'
validate: '/usr/sbin/visudo -cf %s'
loop: "{{ rhel9cis_5_2_4_authenticate.stdout_lines }}"
loop: "{{ discovered_priv_reauth.stdout_lines }}"
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
when:


@ -32,10 +32,10 @@
ansible.builtin.package:
name: authselect
state: latest
register: rhel9cis_authselect_update
register: discovered_authselect_updated
- name: "5.3.1.2 | AUDIT | Ensure latest version of authselect is installed | Patch"
when: rhel9cis_authselect_update.changed # noqa no-handler
when: discovered_authselect_updated.changed # noqa no-handler
ansible.builtin.set_fact:
authselect_update: OK


@ -136,11 +136,11 @@
ansible.builtin.shell: |
grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
changed_when: false
failed_when: rhel9cis_authselect_pam_unix.rc not in [ 0, 1 ]
register: rhel9cis_authselect_pam_unix
failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ]
register: discovered_discovered_authselect_pam_unix
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
when: "'system-auth:password' not in rhel9cis_authselect_pam_unix.stdout"
when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth
regexp: "{{ item.regexp }}"
@ -154,7 +154,7 @@
notify: Authselect update
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth"
when: "'password-auth:password' not in rhel9cis_authselect_pam_unix.stdout"
when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth
line: "{{ item.line }}"
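Review bot: The rename is inconsistent within this file: the shell task registers `discovered_discovered_authselect_pam_unix` (doubled prefix, also used in its own `failed_when`), but the two 5.3.2.5 PATCH tasks test `discovered_authselect_pam_unix.stdout`, which is never defined, so both `when` clauses will raise an undefined-variable error and the pam_unix remediation will not run. Fix the register and its `failed_when` to the single-prefix name: `failed_when: discovered_authselect_pam_unix.rc not in [ 0, 1 ]` and `register: discovered_authselect_pam_unix`. The shell task's `name` and the `lineinfile` tasks' tails lie outside the hunk.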


@ -12,9 +12,9 @@
block:
- name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/password-auth /etc/pam.d/system-auth
register: rhel9_pwhistory_remember
changed_when: false
failed_when: rhel9_pwhistory_remember.rc not in [0, 1]
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
register: discovered_pwhistory_remember
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
ansible.builtin.lineinfile:
@ -59,9 +59,9 @@
block:
- name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth
register: rhel9_pwhistory_enforce_for_root
register: discovered_pwhistory_enforce_for_root
changed_when: false
failed_when: rhel9_pwhistory_enforce_for_root.rc not in [0, 1]
failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
- name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file"
ansible.builtin.lineinfile:
@ -72,7 +72,7 @@
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
when:
- not rhel9cis_allow_authselect_updates
- rhel9_pwhistory_enforce_for_root.stdout | length == 0
- discovered_pwhistory_enforce_for_root.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
@ -83,7 +83,7 @@
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
when:
- rhel9cis_allow_authselect_updates
- rhel9_pwhistory_enforce_for_root.stdout | length == 0
- discovered_pwhistory_enforce_for_root.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
@ -106,9 +106,9 @@
block:
- name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
register: rhel9_pwhistory_use_authtok
register: discovered_pwhistory_use_authtok
changed_when: false
failed_when: rhel9_pwhistory_use_authtok.rc not in [0, 1]
failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok"
ansible.builtin.lineinfile:
@ -119,7 +119,7 @@
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
when:
- not rhel9cis_allow_authselect_updates
- rhel9_pwhistory_use_authtok.stdout | length == 0
- discovered_pwhistory_use_authtok.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
@ -130,7 +130,7 @@
- name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9_pwhistory_use_authtok.stdout | length == 0
- discovered_pwhistory_use_authtok.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"


@ -16,10 +16,10 @@
ansible.builtin.package:
name: aide
state: present
register: aide_installed
register: discovered_aide_installed
- name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
when: aide_installed.changed # noqa: no-handler
when: discovered_aide_installed.changed # noqa: no-handler
block:
- name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
ansible.builtin.shell: /usr/sbin/aide --init


@ -32,26 +32,26 @@
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
ansible.builtin.stat:
path: /etc/tmpfiles.d/systemd.conf
register: tmpfile_override
register: discovered_tmpfile_override
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal"
when: tmpfile_override.stat.exists
when: discovered_tmpfile_override.stat.exists
ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf
register: journald_fileperms_override
register: discovered_journald_fileperms_override
changed_when: false
failed_when: journald_fileperms_override.rc not in [ 0, 1 ]
failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ]
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
when:
- tmpfile_override.stat.exists
- journald_fileperms_override.stdout | length > 0
- discovered_tmpfile_override.stat.exists
- discovered_journald_fileperms_override.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy"
- name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
when:
- tmpfile_override.stat.exists
- journald_fileperms_override.stdout | length > 0
- discovered_tmpfile_override.stat.exists
- discovered_journald_fileperms_override.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:


@ -89,13 +89,13 @@
changed_when: false
failed_when: false
check_mode: false
register: rhel_09_6_2_3_5_audit
register: discovered_configured_rsyslog
- name: "6.2.3.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
ansible.builtin.debug:
msg:
- "These are the current logging configurations for rsyslog, please review:"
- "{{ rhel_09_4_2_1_5_audit.stdout_lines }}"
- "{{ discovered_configured_rsyslog.stdout_lines }}"
- name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting"
when: rhel9cis_rsyslog_ansiblemanaged
@ -193,10 +193,10 @@
# target can be IP or FQDN
*.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}")
insertafter: EOF
register: result
failed_when:
- result is failed
- result.rc != 257
- discovered_rsyslog_remote_host is failed
- discovered_rsyslog_remote_host.rc != 257
register: discovered_rsyslog_remote_host
notify: Restart rsyslog
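Review bot: The renamed `failed_when` still dereferences `discovered_rsyslog_remote_host.rc`, but the task it guards writes a block with `insertafter: EOF`, which looks like `blockinfile`, a module whose result carries no `rc`; if the module ever does fail, the `.rc` lookup raises an undefined-attribute error that masks the real failure message. Making the second condition tolerant, for example `- discovered_rsyslog_remote_host.rc | default(0) != 257`, keeps the intended AND semantics while surfacing the actual error; the origin of the `257` sentinel is not visible here and deserves a comment. The task header and module name start before this hunk, so the module type is inferred, not confirmed.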
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"


@ -88,7 +88,7 @@
changed_when: false
failed_when: false
check_mode: false
register: priv_procs
register: discovered_priv_procs
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
ansible.builtin.set_fact:


@ -187,18 +187,18 @@
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
failed_when: false
changed_when: false
register: rhel_09_7_1_11_perms_results
register: discovered_world_writable
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
when:
- rhel_09_7_1_11_perms_results.stdout_lines is defined
- rhel_09_7_1_11_perms_results.stdout_lines | length > 0
- discovered_world_writable.stdout_lines is defined
- discovered_world_writable.stdout_lines | length > 0
- rhel9cis_no_world_write_adjust
ansible.builtin.file:
path: '{{ item }}'
mode: o-w
state: touch
loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}"
loop: "{{ discovered_world_writable.stdout_lines }}"
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t


@ -30,7 +30,7 @@
-w /etc/sysconfig/network-scripts -p wa -k system-locale
{% endif %}
{% if rhel9cis_rule_6_3_3_6 %}
{% for proc in priv_procs.stdout_lines -%}
{% for proc in discovered_priv_procs.stdout_lines -%}
-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k privileged
{% endfor %}
{% endif %}