forked from ansible-lockdown/RHEL9-CIS
compliant with 2.19
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
278813694b
commit
afcfda9ef0
1 changed files with 14 additions and 84 deletions
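--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -10,12 +10,7 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_2 %}
 {% set syscalls = ["execve"] %}
-{% set arch_syscalls = [] %}
-{%- for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor -%}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
@@ -24,33 +19,18 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_4 %}
 {% set syscalls = ["adjtimex","settimeofday"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 {% set syscalls = ["clock_settime"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
-{% endif %}
-{% endfor %}
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
 {% set syscalls = ["sethostname","setdomainname"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
@@ -68,12 +48,7 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_7 %}
 {% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
@@ -91,62 +66,27 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_9 %}
 {% set syscalls = ["chmod","fchmod","fchmodat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chown","fchown","lchown","fchownat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chmod","fchmod","fchmodat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chown","fchown","lchown","fchownat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_10 %}
 {% set syscalls = ["mount"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
@@ -161,12 +101,7 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_13 %}
 {% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
 {% endif %}
@@ -189,12 +124,7 @@
 {% if rhel9cis_rule_6_3_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_6_3_3_20 %}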
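Review bot: The new `{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}` line can still yield an empty list when none of a block's syscalls is in `supported_syscalls`, and every following `-a ... -S {{ arch_syscalls|join(',') }}` line is then rendered with an empty `-S` value; the old loop had the same gap, so the commit does not introduce it, but it is the natural place to close it. An empty `-S` is an invalid rule, and if the rules loader stops at the first error the rest of the file's audit coverage is lost with it (behaviour of the loader is not visible here, so treat that as something to confirm), which for a CIS audit template is a silent loss of detection rather than a render failure. The same pattern appears in every hunk (rules 6_3_3_2, 6_3_3_4, 6_3_3_5, 6_3_3_7, 6_3_3_9, 6_3_3_10, 6_3_3_13 and 6_3_3_19), so the guard should be applied uniformly: wrap each group of `-a` lines in `{% if arch_syscalls %}` ... `{% endif %}` so that a block with no supported syscalls emits nothing instead of a broken rule. Note also that the b64 and b32 rules in each block are derived from one `supported_syscalls` list; if that list is meant to differ per architecture this filtering will not reflect it, which cannot be determined from this page.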