sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

linting fqcn

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-12 15:01:17 +00:00
parent 60d01a6582
commit c18151e158
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
7 changed files with 88 additions and 89 deletions
Download patch file Download diff file Expand all files Collapse all files

26
tasks/section_5/cis_5.1.x.yml
View file

@ -1,7 +1,7 @@
---
- name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
service:
ansible.builtin.service:
name: crond
enabled: true
when:
@ -15,7 +15,7 @@
- rule_5.1.1
- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
file:
ansible.builtin.file:
dest: /etc/crontab
owner: root
group: root
@ -31,7 +31,7 @@
- rule_5.1.2
- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
file:
ansible.builtin.file:
dest: /etc/cron.hourly
state: directory
owner: root
@ -48,7 +48,7 @@
- rule_5.1.3
- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
file:
ansible.builtin.file:
dest: /etc/cron.daily
state: directory
owner: root
@ -65,7 +65,7 @@
- rule_5.1.4
- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
file:
ansible.builtin.file:
dest: /etc/cron.weekly
state: directory
owner: root
@ -80,7 +80,7 @@
- rule_5.1.5
- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
file:
ansible.builtin.file:
dest: /etc/cron.monthly
state: directory
owner: root
@ -96,7 +96,7 @@
- rule_5.1.6
- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
file:
ansible.builtin.file:
dest: /etc/cron.d
state: directory
owner: root
@ -115,17 +115,17 @@
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users"
block:
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
file:
ansible.builtin.file:
dest: /etc/cron.deny
state: absent
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists"
stat:
ansible.builtin.stat:
path: "/etc/cron.allow"
register: rhel9cis_5_1_8_cron_allow_state
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
file:
ansible.builtin.file:
dest: /etc/cron.allow
state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
owner: root
@ -144,17 +144,17 @@
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users"
block:
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
file:
ansible.builtin.file:
dest: /etc/at.deny
state: absent
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
stat:
ansible.builtin.stat:
path: "/etc/at.allow"
register: rhel9cis_5_1_9_at_allow_state
- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
file:
ansible.builtin.file:
dest: /etc/at.allow
state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
owner: root

54
tasks/section_5/cis_5.2.x.yml
View file

@ -1,7 +1,7 @@
---
- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
file:
ansible.builtin.file:
dest: /etc/ssh/sshd_config
state: file
owner: root
@ -21,7 +21,7 @@
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured"
block:
- name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
find:
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*_key'
recurse: true
@ -29,7 +29,7 @@
register: rhel9cis_5_2_2_ssh_private_host_key
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
file:
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
group: root
@ -52,7 +52,7 @@
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured"
block:
- name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
find:
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*_key.pub'
recurse: true
@ -60,7 +60,7 @@
register: rhel9cis_5_2_3_ssh_public_host_key
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
file:
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
group: root
@ -82,7 +82,7 @@
- name: "5.2.4 | PATCH | Ensure SSH access is limited"
block:
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^AllowUsers"
line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
@ -91,7 +91,7 @@
when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^AllowGroups"
line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
@ -100,7 +100,7 @@
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^DenyUsers"
line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
@ -109,7 +109,7 @@
when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^DenyGroups"
line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
@ -127,7 +127,7 @@
- rule_5.2.4
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#LogLevel|^LogLevel"
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
@ -143,7 +143,7 @@
- rule_5.2.5
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes'
@ -159,7 +159,7 @@
- rule_5.2.6
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no'
@ -175,7 +175,7 @@
- rule_5.2.7
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no'
@ -191,7 +191,7 @@
- rule_5.2.8
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no'
@ -207,7 +207,7 @@
- rule_5.2.9
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no'
@ -223,7 +223,7 @@
- rule_5.2.10
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
line: 'IgnoreRhosts yes'
@ -239,7 +239,7 @@
- rule_5.2.11
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no'
@ -255,7 +255,7 @@
- rule_5.2.12
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no'
@ -273,13 +273,13 @@
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
block:
- name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden"
shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
ansible.builtin.shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
changed_when: false
failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] )
register: ssh_crypto_discovery
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
notify: restart sshd
when: ssh_crypto_discovery.stdout | length > 0
when:
@ -293,7 +293,7 @@
- rule_5.2.14
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^Banner'
line: 'Banner /etc/issue.net'
@ -308,7 +308,7 @@
- rule_5.2.15
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4'
@ -324,7 +324,7 @@
- rule_5.2.16
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60'
@ -340,7 +340,7 @@
- rule_5.2.17
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
@ -356,7 +356,7 @@
- rule_5.2.18
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
@ -374,14 +374,14 @@
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured"
block:
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"

20
tasks/section_5/cis_5.3.x.yml
View file

@ -1,7 +1,7 @@
---
- name: "5.3.1 | PATCH | Ensure sudo is installed"
package:
ansible.builtin.package:
name: sudo
state: present
when:
@ -15,7 +15,7 @@
- rule_5.3.1
- name: "5.3.2 | PATCH | Ensure sudo commands use pty"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/sudoers
line: "Defaults use_pty"
validate: '/usr/sbin/visudo -cf %s'
@ -30,7 +30,7 @@
- rule_5.3.2
- name: "5.3.3 | PATCH | Ensure sudo log file exists"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: '^Defaults logfile='
line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"'
@ -46,7 +46,7 @@
- rule_5.3.3
- name: "5.3.4 | PATCH | Ensure users must provide password for escalation"
replace:
ansible.builtin.replace:
path: "{{ item }}"
regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
replace: '\1PASSWD\2'
@ -64,7 +64,7 @@
- rule_5.3.4
- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
replace:
ansible.builtin.replace:
path: "{{ item }}"
regexp: '^([^#].*)!authenticate(.*)'
replace: '\1authenticate\2'
@ -84,13 +84,13 @@
- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
block:
- name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
changed_when: false
failed_when: false
register: rhel9cis_5_3_6_timeout_files
- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: 'Defaults timestamp_timeout='
line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
@ -98,7 +98,7 @@
when: rhel9cis_5_3_6_timeout_files.stdout | length == 0
- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
replace:
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'timestamp_timeout=(\d+)'
replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
@ -119,13 +119,13 @@
- name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
block:
- name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/pam.d/su
regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
- name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
user:
ansible.builtin.user:
name: "{{ rhel9cis_sugroup_users }}"
groups: "{{ rhel9cis_sugroup | default('wheel') }}"
when:

12
tasks/section_5/cis_5.4.x.yml
View file

@ -3,20 +3,20 @@
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
block:
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
shell: 'authselect current | grep "Profile ID: custom/"'
ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"'
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_4_1_profiles
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
debug:
ansible.builtin.debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
when: rhel9cis_authselect_custom_profile_create
when:
- rhel9cis_rule_5_4_1
@ -31,20 +31,20 @@
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock"
block:
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
shell: "authselect current | grep with-faillock"
ansible.builtin.shell: "authselect current | grep with-faillock"
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_4_2_profiles_faillock
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
debug:
ansible.builtin.debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
when: rhel9cis_authselect_custom_profile_select
when:
- rhel9cis_rule_5_4_2

20
tasks/section_5/cis_5.5.x.yml
View file

@ -3,7 +3,7 @@
- name: "5.5.1 | PATCH | "
block:
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
@ -12,14 +12,14 @@
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
@ -33,7 +33,7 @@
- rule_5.5.1
- name: "5.5.2 | PATCH | Ensure system accounts are secured"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
@ -46,13 +46,13 @@
- name: "5.5.3 | PATCH | Ensure password reuse is limited"
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
replace:
ansible.builtin.replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
@ -67,25 +67,25 @@
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512"
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
replace:
ansible.builtin.replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
replace:
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
replace:
ansible.builtin.replace:
path: /etc/pam.d/password-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
replace:
ansible.builtin.replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'

26
tasks/section_5/cis_5.6.1.x.yml
View file

@ -1,7 +1,7 @@
---
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
@ -16,7 +16,7 @@
- rule_5.5.1.1
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
@ -31,7 +31,7 @@
- rule_5.6.1.2
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
@ -48,24 +48,24 @@
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
block:
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_6_1_4_inactive_settings
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: rhel_8_5_6_1_4_user_list
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
with_items:
- "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
when:
@ -81,33 +81,33 @@
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
block:
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
shell: echo $(($(date --utc --date "$1" +%s)/86400))
ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400))
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_6_1_5_currentut
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_6_1_5_user_list
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
debug:
ansible.builtin.debug:
msg: "Good News! All accounts have PW change dates that are in the past"
when: rhel9cis_5_6_1_5_user_list.stdout | length == 0
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
debug:
ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
when:
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
set_fact:
ansible.builtin.set_fact:
control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
@ -115,7 +115,7 @@
- not rhel9cis_futurepwchgdate_autofix
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
command: passwd --expire {{ item }}
ansible.builtin.command: passwd --expire {{ item }}
when:
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix

19
tasks/section_5/cis_5.6.x.yml
View file

@ -3,7 +3,7 @@
- name: "5.6.2 | PATCH | Ensure system accounts are secured"
block:
- name: "5.6.2 | Ensure system accounts are secured | Set nologin"
user:
ansible.builtin.user:
name: "{{ item.id }}"
shell: /usr/sbin/nologin
with_items:
@ -21,11 +21,10 @@
label: "{{ item.id }}"
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
user:
ansible.builtin.user:
name: "{{ item.id }}"
password_lock: true
with_items:
- "{{ rhel9cis_passwd }}"
loop: "{{ rhel9cis_passwd }}"
when:
- item.id != "halt"
- item.id != "shutdown"
@ -48,7 +47,7 @@
- rule_5.6.2
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
blockinfile:
ansible.builtin.blockinfile:
create: true
mode: 0644
dest: "{{ item.dest }}"
@ -58,7 +57,7 @@
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
export TMOUT
readonly TMOUT
with_items:
loop:
- { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
- { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
when:
@ -72,7 +71,7 @@
- rule_5.6.3
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
user:
ansible.builtin.user:
name: root
group: 0
when:
@ -88,7 +87,7 @@
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
block:
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
replace:
ansible.builtin.replace:
path: /etc/login.defs
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
@ -97,13 +96,13 @@
- { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' }
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
replace:
ansible.builtin.replace:
path: /etc/bashrc
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
replace: '\1 027'
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
replace:
ansible.builtin.replace:
path: /etc/profile
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
replace: '\1 027'