diff --git a/defaults/main.yml b/defaults/main.yml index 2cbbbc8..3436dea 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -71,7 +71,6 @@ audit_cmd_timeout: 60000 # Section 1 rules rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true -rhel9cis_rule_1_1_1_3: true rhel9cis_rule_1_1_2_1: true rhel9cis_rule_1_1_2_2: true rhel9cis_rule_1_1_2_3: true @@ -79,7 +78,6 @@ rhel9cis_rule_1_1_2_4: true rhel9cis_rule_1_1_3_1: true rhel9cis_rule_1_1_3_2: true rhel9cis_rule_1_1_3_3: true -rhel9cis_rule_1_1_3_4: true rhel9cis_rule_1_1_4_1: true rhel9cis_rule_1_1_4_2: true rhel9cis_rule_1_1_4_3: true @@ -95,26 +93,24 @@ rhel9cis_rule_1_1_6_4: true rhel9cis_rule_1_1_7_1: true rhel9cis_rule_1_1_7_2: true rhel9cis_rule_1_1_7_3: true -rhel9cis_rule_1_1_7_4: true -rhel9cis_rule_1_1_7_5: true rhel9cis_rule_1_1_8_1: true rhel9cis_rule_1_1_8_2: true rhel9cis_rule_1_1_8_3: true +rhel9cis_rule_1_1_8_4: true rhel9cis_rule_1_1_18: true rhel9cis_rule_1_1_19: true rhel9cis_rule_1_1_20: true rhel9cis_rule_1_1_21: true rhel9cis_rule_1_1_9: true -rhel9cis_rule_1_1_10: true rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_3: true rhel9cis_rule_1_2_4: true rhel9cis_rule_1_3_1: true rhel9cis_rule_1_3_2: true +rhel9cis_rule_1_3_3: true rhel9cis_rule_1_4_1: true rhel9cis_rule_1_4_2: true -rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true @@ -125,6 +121,7 @@ rhel9cis_rule_1_6_1_4: true rhel9cis_rule_1_6_1_5: true rhel9cis_rule_1_6_1_6: true rhel9cis_rule_1_6_1_7: true +rhel9cis_rule_1_6_1_8: true rhel9cis_rule_1_7_1: true rhel9cis_rule_1_7_2: true rhel9cis_rule_1_7_3: true @@ -136,6 +133,11 @@ rhel9cis_rule_1_8_2: true rhel9cis_rule_1_8_3: true rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_5: true +rhel9cis_rule_1_8_6: true +rhel9cis_rule_1_8_7: true +rhel9cis_rule_1_8_8: true +rhel9cis_rule_1_8_9: true +rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true @@ -160,21 +162,16 @@ rhel9cis_rule_2_2_15: true rhel9cis_rule_2_2_16: true rhel9cis_rule_2_2_17: true rhel9cis_rule_2_2_18: true -rhel9cis_rule_2_2_19: true -rhel9cis_rule_2_2_20: true rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true -rhel9cis_rule_2_3_5: true -rhel9cis_rule_2_3_6: true rhel9cis_rule_2_4: true Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true -rhel9cis_rule_3_1_4: true rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true rhel9cis_rule_3_3_1: true @@ -188,11 +185,6 @@ rhel9cis_rule_3_3_8: true rhel9cis_rule_3_3_9: true rhel9cis_rule_3_4_1_1: true rhel9cis_rule_3_4_1_2: true -rhel9cis_rule_3_4_1_3: true -rhel9cis_rule_3_4_1_4: true -rhel9cis_rule_3_4_1_5: true -rhel9cis_rule_3_4_1_6: true -rhel9cis_rule_3_4_1_7: true rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_3: true @@ -200,11 +192,6 @@ rhel9cis_rule_3_4_2_4: true rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -rhel9cis_rule_3_4_2_8: true -rhel9cis_rule_3_4_2_9: true -rhel9cis_rule_3_4_2_10: true -rhel9cis_rule_3_4_2_11: true - # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -235,6 +222,16 @@ rhel9cis_rule_4_1_3_18: true rhel9cis_rule_4_1_3_19: true rhel9cis_rule_4_1_3_20: true rhel9cis_rule_4_1_3_21: true +rhel9cis_rule_4_1_4_1: true +rhel9cis_rule_4_1_4_2: true +rhel9cis_rule_4_1_4_3: true +rhel9cis_rule_4_1_4_4: true +rhel9cis_rule_4_1_4_5: true +rhel9cis_rule_4_1_4_6: true +rhel9cis_rule_4_1_4_7: true +rhel9cis_rule_4_1_4_8: true +rhel9cis_rule_4_1_4_9: true +rhel9cis_rule_4_1_4_10: true rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_3: true @@ -253,9 +250,7 @@ rhel9cis_rule_4_2_2_5: true rhel9cis_rule_4_2_2_6: true rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true -rhel9cis_rule_4_3_1: true -rhel9cis_rule_4_3_2: true -rhel9cis_rule_4_3_3: true +rhel9cis_rule_4_3: true # Section 5 rules rhel9cis_rule_5_1_1: true @@ -400,6 +395,8 @@ rhel9cis_aide_cron: # SELinux policy rhel9cis_selinux_pol: targeted +# chose onf or enfocing or permissive +rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment @@ -417,13 +414,12 @@ rhel9cis_chrony_server_options: "minpoll 8" ### 2.2 Special Purposes ##### Service configuration booleans set true to keep service -rhel9cis_xinetd_server: false rhel9cis_gui: false rhel9cis_avahi_server: false rhel9cis_cups_server: false rhel9cis_dhcp_server: false rhel9cis_dns_server: false -rhel9cis_ftp_server: false +rhel9cis_dnsmasq_server: false rhel9cis_vsftpd_server: false rhel9cis_tftp_server: false rhel9cis_httpd_server: false @@ -433,7 +429,6 @@ rhel9cis_imap_server: false rhel9cis_samba_server: false rhel9cis_squid_server: false rhel9cis_snmp_server: false -rhel9cis_nis_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false # Note the options @@ -450,12 +445,10 @@ rhel9cis_use_rsync_server: false rhel9cis_use_rsync_service: false #### 2.3 Service clients -rhel9cis_ypbind_required: false -rhel9cis_rsh_required: false -rhel9cis_talk_required: false rhel9cis_telnet_required: false rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false +rhel9cis_ftp_client: false ## Section3 vars @@ -473,15 +466,29 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy + +# These are the default service add accordingly +rhel9_firewalld_service: + - ssh + - dhcpv6-client +# These are added to demonstrate how this can be done +rhel9cis_firewalld_ports: + - number: 80 + protocol: tcp #### nftables -rhel9cis_nftables_firewalld_state: masked rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true - - +rhel9_nftables_ports: + - port: ssh + protocol: tcp + type: dport + rule: accept + - port: igmp + protocol: ip + type: protocol + rule: accept # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. @@ -522,6 +529,10 @@ rhel9cis_preferred_log_capture: rsyslog #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com +rhel9cis_remote_log_port: 514 +rhel9cis_remote_log_protocol: tcp +rhel9cis_remote_log_retrycount: 100 +rhel9cis_remote_log_queuesize: 1000 #### 4.2.1.7 rhel9cis_system_is_log_server: false diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 258b64f..d21e6c4 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -18,92 +18,88 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.1.1 -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" - service: - name: auditd - state: started - enabled: true +- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + block: + - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_4_1_1_2_grub_cmdline_linux + + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" + replace: + dest: /etc/default/grub + regexp: 'audit=.' + replace: 'audit=1' + notify: grub2cfg + when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" + + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' + notify: grub2cfg + when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: - rhel9cis_rule_4_1_1_2 tags: - level2-server - level2-workstation - - automated - patch - auditd + - grub - rule_4.1.1.2 -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" +- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - replace: - dest: /etc/default/grub - regexp: 'audit=.' - replace: 'audit=1' - notify: grub2cfg - when: "'audit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"' - notify: grub2cfg - when: "'audit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - when: - - rhel9cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - auditd - - grub - - rule_4.1.1.3 - -- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "4.1.1.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_4_1_1_4_grub_cmdline_linux - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" + - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" replace: dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' notify: grub2cfg - when: "'audit_backlog_limit=' in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" + when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" + - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_4_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' notify: grub2cfg - when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" + when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" + when: + - rhel9cis_rule_4_1_1_3 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - grub + - rule_4.1.1.3 + +- name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" + service: + name: auditd + state: started + enabled: true when: - rhel9cis_rule_4_1_1_4 tags: - level2-server - level2-workstation - - automated - patch - auditd - - grub - rule_4.1.1.4 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index a3ab990..62bee82 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -27,7 +27,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.2 @@ -47,7 +46,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.3 @@ -64,6 +62,5 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 8272b7e..ec61402 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -2,63 +2,59 @@ # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_1 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.1 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_2 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.2 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_3 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.3 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_4 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.4 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_5 @@ -81,7 +77,7 @@ register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true notify: update auditd when: @@ -89,98 +85,91 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.6 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_7 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3_7 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_8 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.8 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_9 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.9 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_10 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.10 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_11 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.11 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_12 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.12 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_13 @@ -193,104 +182,97 @@ # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_14 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.14 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_15 tags: - level2-server - level2- workstation - - automated - patch - auditd - rule_4.1.3.15 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_16 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.16 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_17 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.17 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_18 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.18 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_19 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.19 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_20 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.20 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - debug: + ansible.builtin.debug: msg: - "Please run augenrules --load if you suspect there is a configuration that is not active" when: @@ -304,7 +286,7 @@ - rule_4.1.3.21 - name: Auditd | 4.1.3 | Auditd controls updated - debug: + ansible.builtin.debug: msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" changed_when: false when: diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml new file mode 100644 index 0000000..b7828ae --- /dev/null +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -0,0 +1,188 @@ +--- + +- name: | + "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" + "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" + "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" + + block: + - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" + ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' + register: audit_logfile + changed_when: false + + - name: | + "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" + "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" + "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" + ansible.builtin.file: + path: "{{ audit_logfile.stdout }}" + state: file + mode: 0640 + owner: root + group: root + when: + - rhel9cis_rule_4_1_4_1 or + rhel9cis_rule_4_1_4_2 or + rhel9cis_rule_4_1_4_3 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.1 + - rule_4.1.4.2 + - rule_4.1.4.3 + +- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive" + block: + - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" + ansible.builtin.stat: + path: "{{ audit_logfile.stdout | dirname }}" + register: auditlog_dir + + - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: directory + mode: 0750 + when: not auditlog_dir.stat.mode is match('07(0|5)0') + when: + - rhel9cis_rule_4_1_4_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.4 + +- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" + block: + + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" + ansible.builtin.stat: + path: "{{ item.path }}" + register: item_file + loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" + loop_control: + label: "{{ item.path }}" + + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + mode: 0640 + loop: "{{ audit_config_files }}" + when: not item_file.stat.mode is match('06(0|4)0') + when: + - rhel9cis_rule_4_1_4_5 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.5 + +- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + owner: root + loop: "{{ audit_config_files }}" + when: + - rhel9cis_rule_4_1_4_6 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.6 + +- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + group: root + loop: "{{ audit_config_files }}" + when: + - rhel9cis_rule_4_1_4_7 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.7 + +- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" + block: + - name: "PRELIM | 4.1.4.8 | Get audit binarty file stat | get current mode" + ansible.builtin.stat: + path: "{{ item }}" + register: "audit_bins" + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + + - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" + ansible.builtin.file: + path: "{{ item }}" + state: file + mode: 0750 + register: "audit_bins" + loop: "{{ audit_bins.results.stat.path }}" + when: not audit_bins.stat.mode is match('07(0|5)(0|5)') + when: + - rhel9cis_rule_4_1_4_8 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.8 + +- name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root" + ansible.builtin.file: + path: "{{ item }}" + state: file + owner: root + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + when: + - rhel9cis_rule_4_1_4_9 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.9 + +- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root" + ansible.builtin.file: + path: "{{ item }}" + state: file + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + when: + - rhel9cis_rule_4_1_4_10 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.10 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 12afac1..e34f677 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -1,7 +1,7 @@ --- - name: "4.2.1.1 | PATCH | Ensure rsyslog installed" - package: + ansible.builtin.package: name: rsyslog state: present when: @@ -10,13 +10,12 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.1 - name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" - service: + ansible.builtin.systemd: name: rsyslog enabled: true when: @@ -24,29 +23,27 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.2 -# This is counter to control 4.2.2.5?? - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" line: ForwardToSyslog=yes + notify: restart rsyslog when: - rhel9cis_rule_4_2_1_3 - rhel9cis_preferred_log_capture == "rsyslog" tags: - level1-server - level1-workstation - - manual - patch - rule_4.2.1.3 - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' @@ -56,7 +53,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.4 @@ -64,20 +60,20 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - command: cat /etc/rsyslog.conf + ansible.builtin.command: cat /etc/rsyslog.conf changed_when: false failed_when: false check_mode: false register: rhel_08_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - debug: + ansible.builtin.debug: msg: - "These are the current logging configurations for rsyslog, please review:" - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)" @@ -92,7 +88,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)" @@ -105,7 +101,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)" @@ -119,7 +115,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" @@ -134,7 +130,7 @@ notify: restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" @@ -145,7 +141,7 @@ notify: restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" @@ -159,18 +155,17 @@ tags: - level1-server - level1-workstation - - manual - patch - rsyslog - rule_4.2.1.5 - name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present block: | - # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional - *.* @@{{ rhel9cis_remote_log_server }} + # target can be IP or FQDN + *.* action(type="omfwd" target="{{ rhel9cis_remote_log_server }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") insertafter: EOF register: result failed_when: @@ -179,11 +174,10 @@ notify: restart rsyslog when: - rhel9cis_rule_4_2_1_6 - - rhel9cis_remote_log_server is defined + - rhel9cis_remote_log_server tags: - level1-server - level1-workstation - - manual - patch - rsyslog - rule_4.2.1.6 @@ -191,20 +185,20 @@ - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" block: - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" - replace: + ansible.builtin.replace: path: /etc/rsyslog.conf - regexp: '({{ item }})' + regexp: '{{ item }}' replace: '#\1' notify: restart rsyslog with_items: - - '^(\$ModLoad imtcp)' - - '^(\$InputTCPServerRun)' - - '^(module\(load="imtcp"\))' - - '^(input\(type="imtcp")' + - '^\$ModLoad imtcp' + - '^\$InputTCPServerRun' + - '^module\(load="imtcp"\)' + - '^input\(type="imtcp" port=.*\)' when: not rhel9cis_system_is_log_server - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" - replace: + ansible.builtin.replace: path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' replace: '\1' @@ -213,14 +207,13 @@ - 'ModLoad imtcp' - 'InputTCPServerRun' - 'module\(load="imtcp"\)' - - 'input\(type="imtcp"' + - 'input\(type="imtcp" port=".*")' when: rhel9cis_system_is_log_server when: - rhel9cis_rule_4_2_1_7 tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.7 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index f172f96..08db497 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -1,7 +1,7 @@ --- - name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" - package: + ansible.builtin.package: name: systemd-journal-remote state: present when: @@ -15,7 +15,7 @@ - rule_4.2.2.1.1 - name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -36,7 +36,7 @@ - rule_4.2.2.1.2 - name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" - systemd: + ansible.builtin.systemd: name: systemd-journal-upload state: started enabled: true @@ -52,7 +52,7 @@ - rule_4.2.2.1.3 - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" - systemd: + ansible.builtin.systemd: name: systemd-journal-remote.socket state: stopped enabled: false @@ -71,25 +71,25 @@ - name: "4.2.2.2 | PATCH | Ensure journald service is enabled" block: - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" - systemd: + ansible.builtin.systemd: name: systemd-journald state: started enabled: true - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" - shell: systemctl is-enabled systemd-journald.service + ansible.builtin.shell: systemctl is-enabled systemd-journald.service changed_when: false failed_when: false register: rhel9cis_4_2_2_2_status - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" - debug: + ansible.builtin.debug: msg: - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" warn_count: "{{ warn_count | int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" @@ -104,10 +104,11 @@ - rule_4.2.2.2 - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes + notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_3 tags: @@ -119,10 +120,11 @@ - rule_4.2.2.3 - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent + notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_4 tags: @@ -135,7 +137,7 @@ # This is counter to control 4.2.1.3?? - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" @@ -151,7 +153,7 @@ - rule_4.2.2.5 - name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -175,35 +177,21 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" block: - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" - find: - paths: /etc/tmpfiles.d - patterns: systemd.conf - register: rhel9cis_4_2_2_7_override_status + ansible.builtin.stat: + path: /etc/tmpfiles.d/systemd.conf + register: rhel9cis_4_2_2_7_override - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings" - shell: cat /etc/tmpfiles.d/systemd.conf - changed_when: false - failed_when: false - register: rhel9cis_4_2_2_7_override_settings - when: rhel9cis_4_2_2_7_override_status.matched >= 1 + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" + ansible.builtin.set_fact: + systemd_conf_file: /etc/tmpfiles.d/systemd.conf + when: rhel9cis_4_2_2_7_override_stat.exists - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings" - shell: cat /usr/lib/tmpfiles.d/systemd.conf - changed_when: false - failed_when: false - register: rhel9cis_4_2_2_7_notoverride_settings - when: rhel9cis_4_2_2_7_override_status.matched == 0 + - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" + ansible.builtin.lineinfile: + path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}" + regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" + line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" - debug: - msg: - - "Warning!! Below are the current default settings for journald, please confirm they align with your site policies" - - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" - - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" - warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index a1b3bb7..e1e6bec 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -1,9 +1,18 @@ --- - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + - changed_when: false - failed_when: false + block: + - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + ansible.builtin.find: + paths: "/var/log" + type: file + register: logfiles + + - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + ansible.builtin.file: + paths: "{{ item.path }}" + mode: 0640 + register: logfiles when: - rhel9cis_rule_4_2_3 tags: diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 2283d6a..6709458 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -1,43 +1,25 @@ --- -- name: "4.3.1 | PATCH | Ensure logrotate is installed" - package: - name: rsyslog-logrotate - state: present - when: - - rhel9cis_rule_4_3_1 - tags: - - level1-server - - level1-workstation - - manual - - patch - - logrotate - - rule_4.3.1 - -- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" - systemd: - name: logrotate.timer - state: started - enabled: true - when: - - rhel9cis_rule_4_3_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - logrotate - - rule_4.3.2 - -- name: "4.3.3 | PATCH | Ensure logrotate is configured" +- name: "4.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" - find: + - name: "4.3 | PATCH | Ensure logrotate is configured | installed" + ansible.builtin.package: + name: rsyslog-logrotate + state: present + + - name: "4.3.2 | PATCH | Ensure logrotate is configured | scheduled" + ansible.builtin.systemd: + name: logrotate.timer + state: started + enabled: true + + - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + ansible.builtin.find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3.3 | PATCH | Ensure logrotate is configured" - replace: + - name: "4.3 | PATCH | Ensure logrotate is configured" + ansible.builtin.replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel9cis_logrotate }}" @@ -47,11 +29,11 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_4_3_3 + - rhel9cis_rule_4_3 tags: - level1-server - level1-workstation - manual - patch - logrotate - - rule_4.3.3 + - rule_4.3.1 diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 1431ed4..89f2787 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -3,7 +3,7 @@ ## metadata for benchmark ## metadata for Audit benchmark -benchmark_version: '2.0.0' +benchmark_version: '1.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # If run via script this is discovered and set @@ -44,7 +44,6 @@ rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} # 1.1.1 Disable unused filesystems rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} -rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} # 1.1.2 Configure /tmp rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }} rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }} @@ -74,28 +73,25 @@ rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }} rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }} rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }} rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} -rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }} -rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }} # 1.1.8 Configure /dev/shm rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} -# 1.9 autofs +rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }} +# 1.9 usb-storage rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} -# 1.10 usb-storage -rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} # 1.2 Configure Software Updates -rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed +rhel9cis_rule_1_2_1: {{ rhel9cis_rule_1_2_1 }} rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} # 1.3 Filesystem Integrity Checking rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} +rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} # 1.4 Secure Boot Settings rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} -rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} # 1.5 Additional Process Hardening rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} @@ -108,6 +104,7 @@ rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} +rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }} # 1.7 Command Line Warning Banners rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} @@ -121,6 +118,11 @@ rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_6 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_7 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_8 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_9 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_10 }} # 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} # Ensure system-wide crypto policy is not legacy @@ -151,24 +153,19 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} -rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }} -rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }} # 2.3 service clients rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} -rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} -rhel9cis_rule_2_3_6: {{ rhel9cis_rule_2_3_6 }} -rhel9cis_rule_2_4: true # todo +rhel9cis_rule_2_4: true # Section 3 rules # 3.1 Disable unused network protocols and devices rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} -rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }} # 3.2 Network Parameters (Host Only) rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} @@ -185,11 +182,7 @@ rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }} # 3.4.1 Configure firewalld rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }} -rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }} -rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }} -rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }} -rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }} -rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }} + # 3.4.1 Configure nftables rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} @@ -198,10 +191,7 @@ rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }} -rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} -rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} -rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} -rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} + # Section 4 rules # 4.1 Configure System Accounting @@ -238,6 +228,18 @@ rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }} rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }} rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }} +# 4.1.4 Configure auditd file Access +rhel9cis_rule_4_1_4_1: {{ rhel9cis_rule_4_1_4_1 }} +rhel9cis_rule_4_1_4_2: {{ rhel9cis_rule_4_1_4_2 }} +rhel9cis_rule_4_1_4_3: {{ rhel9cis_rule_4_1_4_3 }} +rhel9cis_rule_4_1_4_4: {{ rhel9cis_rule_4_1_4_4 }} +rhel9cis_rule_4_1_4_5: {{ rhel9cis_rule_4_1_4_5 }} +rhel9cis_rule_4_1_4_6: {{ rhel9cis_rule_4_1_4_6 }} +rhel9cis_rule_4_1_4_7: {{ rhel9cis_rule_4_1_4_7 }} +rhel9cis_rule_4_1_4_8: {{ rhel9cis_rule_4_1_4_8 }} +rhel9cis_rule_4_1_4_9: {{ rhel9cis_rule_4_1_4_9 }} +rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }} + # 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} @@ -262,9 +264,8 @@ rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} # 4.3 Logrotate -rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }} -rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }} -rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }} +rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + # Section 5 # Authentication and Authorization @@ -391,12 +392,11 @@ rhel9_aide_scan: cron # Set to 'true' if X Windows is needed in your environment rhel9cis_xwindows_required: false ### Service configuration booleans set true to keep service -rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }} -rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_dnsmasq_server: {{ rhel9cis_dnsmasq_server }} rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} @@ -406,7 +406,6 @@ rhel9cis_imap_server: {{ rhel9cis_imap_server }} rhel9cis_samba_server: {{ rhel9cis_samba_server }} rhel9cis_squid_server: {{ rhel9cis_squid_server }} rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} @@ -421,12 +420,10 @@ rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }} rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }} #### 2.3 Service clients -rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} +rhel9cis_ftp_client: {{ rhel9cis_ftp_client }} # Section 3