From 2078657ceb9994de5142b7a6761edbb5a7733351 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 20 Feb 2025 10:22:11 +0000
Subject: [PATCH 1/4] added fix for #293 thanks to @machikanta

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 3f6202b..1735ce8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1303,3 +1303,9 @@ rhel9cis_suid_sgid_adjust: false
 ## Control 7.1.11 - Ensure no world writable files exist
 # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
 rhel9cis_no_world_write_adjust: true
+
+
+## Control 7.2.9
+# This allows ansible to alter the dot files as per rule if found
+# When set to true this will align with benchmark - can impact a running system if not tested sufficiently
+rhel9cis_dotperm_ansiblemanaged: false

From d6a560b2c8df1ce22fb111dac7186e92b76d51b7 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 20 Feb 2025 11:54:14 +0000
Subject: [PATCH 2/4] rsyslog_#294 thanks to @alopezgcp

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 134 +++++++++++++---------
 tasks/section_6/cis_6.2.3.x.yml | 4 +-
 tasks/section_6/main.yml | 1 +
 templates/etc/logrotate.d/rsyslog.conf.j2 | 11 --
 templates/etc/logrotate.d/rsyslog_log.j2 | 26 +++++
 5 files changed, 107 insertions(+), 69 deletions(-)
 delete mode 100644 templates/etc/logrotate.d/rsyslog.conf.j2
 create mode 100644 templates/etc/logrotate.d/rsyslog_log.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 1735ce8..546e0e7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
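Review bot: The new `## Control 7.2.9` heading omits the benchmark title that every neighbouring entry carries (compare `## Control 7.1.11 - Ensure no world writable files exist`), so an operator searching defaults for the rule wording will not find this toggle; write it as `## Control 7.2.9 - <benchmark title>`. The description line `# This allows ansible to alter the dot files as per rule if found` should also say what is altered (ownership, mode, or both), since that is what someone has to weigh before flipping `rhel9cis_dotperm_ansiblemanaged` to true on a running system.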
@@ -1100,14 +1100,68 @@ rhel9cis_aide_cron:
 #
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
-## Control 6.2.3 | Configure rsyslog
-## Control 6.2.1 | Configure journald
-# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation)
-# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best
+## Controls 6.2.1.x | Configure systemd-journald service
+## Controls 6.2.2.x | Configured journald
+## Controls 6.2.3.x | Configure rsyslog
+
+# This variable governs which logging service should be used, choosing between 'rsyslog'
+# or 'journald'(CIS recommendation) will trigger the execution of the associated subsection, as the-best
 # practices are written wholly independent of each other.
 rhel9cis_syslog: journald
 
-## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# Current variable configures the max amount of disk space the logs will use(thus, journal files
+# will not grow without bounds)
+# The variables below related to journald, please set these to your site specific values
+# These variable specifies how much disk space the journal may use up at most
+# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
+# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
+rhel9cis_journald_systemmaxuse: 10M
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# Current variable configures the amount of disk space to keep free for other uses.
+rhel9cis_journald_systemkeepfree: 100G
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# This variable configures how much disk space the journal may use up at most.
+# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
+rhel9cis_journald_runtimemaxuse: 10M
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# This variable configures the actual amount of disk space to keep free
+# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
+rhel9cis_journald_runtimekeepfree: 100G
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# Current variable governs the settings for log retention(how long the log files will be kept).
+# Thus, it specifies the maximum time to store entries in a single journal
+# file before rotating to the next one. Set to 0 to turn off this feature.
+# The given values is interpreted as seconds, unless suffixed with the units
+# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
+# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+# ATTENTION: Uncomment the keyword below when values are set!
+rhel9cis_journald_maxfilesec: 1month
+
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
+# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
+# number may be specified after a colon (":"), otherwise 19532 will be used by default.
+rhel9cis_journal_upload_url: 192.168.50.42
+## The paths below have the default paths/files, but allow user to create custom paths/filenames
+
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# This variable specifies the path to the private key file used by the remote journal
+# server to authenticate itself to the client. This key is used alongside the server's
+# public certificate to establish secure communication.
+rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# This variable specifies the path to the public certificate file of the remote journal
+# server. This certificate is used to verify the authenticity of the remote server.
+rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# This variable specifies the path to a file containing one or more public certificates
+# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
+# to validate the authenticity of the remote server's certificate.
+rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
+# ATTENTION: Uncomment the keyword below when values are set!
+
+# Control 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
 # This variable expresses whether the system is used as a log server or not. If set to:
 # - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts.
 # - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity
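Review bot: The new heading `# Control 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client` uses a single `#` while every other control heading in this hunk uses `##`, and `## Controls 6.2.2.x | Configured journald` reads as a typo for `Configure journald`; both are new lines in this commit. The relocated block also carries two `# ATTENTION: Uncomment the keyword below when values are set!` comments that no longer point at anything: one sits above `rhel9cis_journald_maxfilesec: 1month`, which is not commented out, and the other after `rhel9cis_journal_trustedcertificatefile` with only a blank line below it, so either drop them or name the keyword they mean. `rhel9cis_journal_upload_url: 192.168.50.42` is a concrete address shipped as a default; a comment stating it is a placeholder that must be overridden per site would stop an unreviewed run from presumably pointing journal-upload at an unintended host.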
@@ -1155,57 +1209,25 @@ rhel9cis_remote_log_retrycount: 100
 # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
 rhel9cis_remote_log_queuesize: 1000
 
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
-# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
-# number may be specified after a colon (":"), otherwise 19532 will be used by default.
-rhel9cis_journal_upload_url: 192.168.50.42
-## The paths below have the default paths/files, but allow user to create custom paths/filenames
-
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# This variable specifies the path to the private key file used by the remote journal
-# server to authenticate itself to the client. This key is used alongside the server's
-# public certificate to establish secure communication.
-rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# This variable specifies the path to the public certificate file of the remote journal
-# server. This certificate is used to verify the authenticity of the remote server.
-rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# This variable specifies the path to a file containing one or more public certificates
-# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
-# to validate the authenticity of the remote server's certificate.
-rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
-# ATTENTION: Uncomment the keyword below when values are set!
-
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# Current variable configures the max amount of disk space the logs will use(thus, journal files
-# will not grow without bounds)
-# The variables below related to journald, please set these to your site specific values
-# These variable specifies how much disk space the journal may use up at most
-# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
-# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
-rhel9cis_journald_systemmaxuse: 10M
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# Current variable configures the amount of disk space to keep free for other uses.
-rhel9cis_journald_systemkeepfree: 100G
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# This variable configures how much disk space the journal may use up at most.
-# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
-rhel9cis_journald_runtimemaxuse: 10M
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# This variable configures the actual amount of disk space to keep free
-# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
-rhel9cis_journald_runtimekeepfree: 100G
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# Current variable governs the settings for log retention(how long the log files will be kept).
-# Thus, it specifies the maximum time to store entries in a single journal
-# file before rotating to the next one. Set to 0 to turn off this feature.
-# The given values is interpreted as seconds, unless suffixed with the units
-# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
-# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
-# ATTENTION: Uncomment the keyword below when values are set!
-rhel9cis_journald_maxfilesec: 1month
+## Control 6.2.3.8 rsyslog rotate
+# This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings
+#Please refer to logrotate options to match your site requirements
+# This sets when to rotate
+rhel9cis_rsyslog_logrotate_rotated_when: weekly
+# This sets how many rotations of the file to keep
+rhel9cis_rsyslog_logrotate_rotatation_keep: 4
+# This defines whether to set various options or not
+# these are taken from logrotate options
+# Setting
+# true will carry out the setting.
+# false will either set no/not or not add the option
+rhel9cis_rsyslog_logrotate_compress: true
+rhel9cis_rsyslog_logrotate_missingok: true
+rhel9cis_rsyslog_logrotate_notifempty: true
+rhel9cis_rsyslog_logrotate_create: true
+# Extra options that can be added according to rsyslog documentation
+# Uncomment and add the required options e.g. mode owner group
+#rhel9cis_rsyslog_logrotate_create_opts:
 
 ## Control 6.3.2.1 - Ensure audit_backlog_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 9333697..9d26acf 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -256,8 +256,8 @@
 
 - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
   ansible.builtin.template:
-    src: etc/logrotate.d/rsyslog.conf.j2
-    dest: /etc/logrotate.d/rsyslog.conf
+    src: etc/logrotate.d/rsyslog_log.j2
+    dest: /etc/logrotate.d/rsyslog_log
     owner: root
     group: root
     mode: 'g-wx,o-rwx'
diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml
index a1909dc..dda7ee5 100644
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
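Review bot: `rhel9cis_rsyslog_logrotate_rotatation_keep` misspells "rotation" in a user-facing variable name that every site override will have to reproduce; since both this default and the template that reads it are introduced in this commit, renaming it to `rhel9cis_rsyslog_logrotate_rotation_keep` here and in `templates/etc/logrotate.d/rsyslog_log.j2` costs nothing now and a deprecation cycle later. The comment `# Extra options that can be added according to rsyslog documentation` points at the wrong manual, because the `mode owner group` it mentions are arguments of logrotate's `create` directive, so it should read `according to logrotate documentation`. `# false will either set no/not or not add the option` is hard to parse; given what the new template does, `# false writes the negated keyword (nocompress, nomissingok, ifempty) or, for create, omits the directive` says the same thing precisely.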
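Review bot: Changing `dest` to `/etc/logrotate.d/rsyslog_log` leaves the previously templated `/etc/logrotate.d/rsyslog.conf` behind on hosts that were hardened by an earlier release of this role, so logrotate will load two stanzas for `/var/log/rsyslog/*.log` and is likely to reject the second as a duplicate log entry, which would leave those files unrotated. A task that removes the superseded file before this one keeps the upgrade path clean. The rest of this task (any `when` or `notify`) lies outside the hunk, so whether a handler picks up the new file is not visible here.
```yaml
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | remove superseded rsyslog conf"
  ansible.builtin.file:
    path: /etc/logrotate.d/rsyslog.conf
    state: absent

- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
  # … unchanged: template task …
```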
@@ -5,6 +5,7 @@
     file: cis_6.1.x.yml
 
 - name: "SECTION | 6.2.1 | Configure systemd-journald service"
+  when: rhel9cis_syslog == 'journald'
   ansible.builtin.import_tasks:
     file: cis_6.2.1.x.yml
 
diff --git a/templates/etc/logrotate.d/rsyslog.conf.j2 b/templates/etc/logrotate.d/rsyslog.conf.j2
deleted file mode 100644
index 2423b24..0000000
--- a/templates/etc/logrotate.d/rsyslog.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-/var/log/rsyslog/*.log {
-    {{ rhel9cis_rsyslog_logrotate_rotated }}
-    rotate {{ rhel9cis_rsyslog_logrotate_keep }}
-    {% if rhel9cis_rsyslog_logrotate_compress %}compress{% else %}nocompress{% endif %}
-    {% if rhel9cis_rsyslog_logrotate_missingok %}missingok{% else %}missingok{% endif %}
-    {% if rhel9cis_rsyslog_logrotate_notifempty %}notifempty{% else %}ifempty{% endif %}
-    {% if rhel9cis_rsyslog_logrotate_create %}create {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
-    postrotate
-    /usr/bin/systemctl reload rsyslog.service >/dev/null || true
-    endscript
-}
diff --git a/templates/etc/logrotate.d/rsyslog_log.j2 b/templates/etc/logrotate.d/rsyslog_log.j2
new file mode 100644
index 0000000..8acb53e
--- /dev/null
+++ b/templates/etc/logrotate.d/rsyslog_log.j2
@@ -0,0 +1,26 @@
+/var/log/rsyslog/*.log {
+    {{ rhel9cis_rsyslog_logrotate_rotated_when }}
+    rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
+{% if rhel9cis_rsyslog_logrotate_compress %}
+    compress
+{% else %}
+    nocompress
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_missingok %}
+    missingok
+{% else %}
+    nomissingok
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_notifempty %}
+    notifempty
+{% else %}
+    ifempty
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_create %}
+    create{% if rhel9cis_rsyslog_logrotate_create_opts is defined %} {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
+{% endif %}
+
+    postrotate
+    /usr/bin/systemctl reload rsyslog.service >/dev/null || true
+    endscript
+}

From 3441894ab4392a3619e68c6beb35cdce9bc69a81 Mon Sep 17 00:00:00 2001
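Review bot: `when: rhel9cis_syslog == 'journald'` on an `ansible.builtin.import_tasks` entry is inherited by every task inside `cis_6.2.1.x.yml`, so any 6.2.1.x task that should hold regardless of the chosen backend — keeping the journald service itself active is the obvious candidate, since rsyslog on these systems typically reads from it — is now skipped for `rsyslog` sites; confirm the tasks in that file against that intent. Whether the sibling section imports in this file carry the mirror-image guard is outside the hunk, so consistency across sections cannot be checked here. Putting `when:` after the module key would match the key order used by the rest of the entry.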
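Review bot: `{% if rhel9cis_rsyslog_logrotate_create_opts is defined %}` tests only definedness, so a site that follows the defaults comment and uncomments the bare `rhel9cis_rsyslog_logrotate_create_opts:` key supplies a null that renders as `create None`, which logrotate is likely to reject as an invalid mode; guard on the value as well, `{% if rhel9cis_rsyslog_logrotate_create_opts is defined and rhel9cis_rsyslog_logrotate_create_opts %}`. The glob `/var/log/rsyslog/*.log` can match several files, and without `sharedscripts` the `postrotate` reload runs once per rotated file; adding `    sharedscripts` on the line before `postrotate` limits it to one reload per run. A bare `create` with no arguments makes the new file inherit the rotated file's owner and mode, which is only acceptable if those files were created with the intended restrictive mode, so a one-line comment recording that assumption would help whoever audits the rendered output.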
From: Mark Bolwell
Date: Thu, 20 Feb 2025 11:55:59 +0000
Subject: [PATCH 3/4] Lint update

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 546e0e7..f5c38b1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1211,7 +1211,7 @@ rhel9cis_remote_log_queuesize: 1000
 
 ## Control 6.2.3.8 rsyslog rotate
 # This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings
-#Please refer to logrotate options to match your site requirements
+# Please refer to logrotate options to match your site requirements
 # This sets when to rotate
 rhel9cis_rsyslog_logrotate_rotated_when: weekly
 # This sets how many rotations of the file to keep
@@ -1227,7 +1227,7 @@ rhel9cis_rsyslog_logrotate_notifempty: true
 rhel9cis_rsyslog_logrotate_create: true
 # Extra options that can be added according to rsyslog documentation
 # Uncomment and add the required options e.g. mode owner group
-#rhel9cis_rsyslog_logrotate_create_opts:
+# rhel9cis_rsyslog_logrotate_create_opts:
 
 ## Control 6.3.2.1 - Ensure audit_backlog_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
@@ -1326,7 +1326,6 @@ rhel9cis_suid_sgid_adjust: false
 # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
 rhel9cis_no_world_write_adjust: true
 
-
 ## Control 7.2.9
 # This allows ansible to alter the dot files as per rule if found
 # When set to true this will align with benchmark - can impact a running system if not tested sufficiently

From eb77cdd36763e65a9dabf3c08238f4684b3fbe66 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 20 Feb 2025 11:56:30 +0000
Subject: [PATCH 4/4] Added precommit exclusion

Signed-off-by: Mark Bolwell
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore index f67408e..de8046f 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,6 @@ benchparse/ # GitHub Action/Workflow files .github/ + +# Precommit exclusions +.ansible/